Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Secure Software Development Takes Center Stage
By Maty Siman, CTO, Checkmarx
2020 has taught us a lot, but one thing in particular that's stood out is that
technology, and the underlying software powering it, is more essential than ever
for maintaining continuity in our business settings and personal lives. Not only
has software allowed us to maintain a sense of normalcy during this
anything-but-normal year, it has also enabled organizations to push the
boundaries of innovation and creativity and position themselves for the long haul
of the digital transformation movement that has been building for years.
Today, every thriving company is ultimately a
software company in some way, shape, or form, making software security a top
priority for business leaders, security teams, and developers alike. As we look
ahead to 2021, here are my top predictions to watch for in the software
security space -- from open source to infrastructure as code, and everything in
between.
1. Security will race to catch development speeds and adapt to the cloud.
Developing and releasing applications fast while maintaining security is a
mindset that, while much talked about, is not being executed effectively. Cloud
development needs to happen fast, with as many releases ("drops") as possible.
With that, the current philosophy at many organizations is to get software into
production quickly and roll back if a bug is found, so they can push as many
features as fast as possible. But this doesn't work for security. You can't push
code and then roll back to fix vulnerabilities: the window between deployment and
rollback is an opportunity for malicious actors to infiltrate your system. In
2021, the application security tools that integrate into the tool chain must work
much more rapidly, scale to cloud environments, and present actionable findings in
a format that developers can understand and use to make quick fixes.
2. Open source hacking will accelerate while organizations look to thwart malicious actors.
Hackers find open source to be an easy way into organizations, and this trend will
only accelerate in 2021. Rarely does a week go by without the discovery of
malicious open source packages. Yes, organizations understand they need to secure
the open source components they're using, and existing solutions help them remove
packages that are accidentally vulnerable (where a developer unintentionally
introduces a bug) -- but they are still blind to instances where adversaries
deliberately push tainted code into packages. In fact, a recent study found that
nearly one in five bugs within open source software are planted for malicious
purposes. This blind spot needs to change in 2021.
As a baseline, it's best to stick to well-known (rather than immature) open source
components for critical projects, and to review the policies by which open source
projects accept new contributors.
3. Demand for cloud-based security increases use of infrastructure as code (IaC).
The overnight digital shift that occurred in 2020 forced many organizations to
turn to the cloud. The cloud offers obvious advantages for supporting a dispersed
workforce. But with this transition come new challenges, one of the biggest
revolving around the emergence of infrastructure as code (IaC).
IaC has pushed many developers into uncharted waters, due to a lack of proper
training and mounting pressure to write code quickly in these environments. The
architectures this code describes are complex, and the security tools on the
market today are generally too disparate to detect the gaps in that code
(misconfigurations such as overly permissive network rules). In 2021, I expect to
see malicious attackers exploit developers' missteps in these flexible
environments. To combat this, we will see a major concentration on cloud security
training, IaC best practices and additional spend allocated to software and
application security to support the demands of a remote workforce and more
complex software ecosystems.
4. Security will report to development, not the other way around.
It's no secret that developers are trendsetters in organizations driving toward
digital transformation. Integrating security into software development needs to
take both a bottom-up and a top-down approach. Developers are opinionated and
increasingly influential, and you cannot force them to do or use something they
don't buy into. To foster collaboration between security and development,
security in 2021 will need to integrate into the development tool chain in the
manner developers are most comfortable with. Developers are no longer willing to
switch between different interfaces (one for development and one for security) --
nor should they have to, if speed is demanded equally with security. They want to
consume all findings, whether about quality issues or security issues, in a single
streamlined flow. Security will meet developers where they are, using the
interfaces and tools they prefer.
5. Context will be king. With holistic views of the application, security posture improves.
Next year, we'll see a departure from "one trick pony" solutions. 2021 will bring
AppSec market convergence, as the demand from organizations for a holistic
perspective on the security posture of their applications from several vantage
points (e.g., understanding application context and meshing it with
infrastructure as code) drives adoption of one-stop-shop solutions that provide a
full ecosystem view. When it comes to the security of open source in particular,
more comprehensive views will allow organizations not only to know whether they
are consuming a vulnerable package, but also whether the way the application
consumes it actually makes an attack possible.
Here is one specific example. When a vulnerability exists in an open source
component, three conditions typically need to be met before an attacker can
exploit it: 1) you need to consume that component in the vulnerable version, 2)
your application needs to actually call the specific vulnerable function in that
component, and 3) your infrastructure as code needs to expose the path an attacker
would use to reach it, for example by opening a specific port to the internet. A
finding that satisfies only the first condition is a candidate, not a confirmed
exposure. Only by combining these three pieces of data into contextualized
insight can you accurately tell whether you are vulnerable to attack.
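As an added example that is not part of the original article or of any Checkmarx product, the script below combines the three conditions just described into a single verdict: it reads the pinned version out of a requirements.txt, walks the application's Python AST to see whether the vulnerable function is actually called (directly, through an `import ... as` alias, or through `from ... import`), and inspects a Terraform plan in `terraform show -json` shape for a security group ingress rule that opens the relevant port to 0.0.0.0/0. The package `examplelib`, its function `render`, the fixed version 2.4.1 and port 8080 are hypothetical, and the requirements file, application source and plan excerpts are constructed inline.

```python
"""Added example: three-signal reachability check for an open source
vulnerability. Package, function, version and port are hypothetical; the
requirements file, application source and Terraform plan are constructed."""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str        # import / distribution name (hypothetical)
    fixed_version: str  # versions below this are vulnerable
    function: str       # dotted name of the vulnerable function
    port: int           # port the vulnerable code path is reached through


def _ver(v: str) -> tuple:
    """'2.3.10' -> (2, 3, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def pinned_version(requirements: str, package: str):
    """Version pinned with '==' in a requirements.txt, or None if not pinned."""
    for line in requirements.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m and m.group(1).lower() == package.lower():
            return m.group(2)
    return None


def consumes_vulnerable_version(requirements: str, adv: Advisory) -> bool:
    """Condition 1: the application pins a version below the fix."""
    v = pinned_version(requirements, adv.package)
    return v is not None and _ver(v) < _ver(adv.fixed_version)


def calls_vulnerable_function(source: str, adv: Advisory) -> bool:
    """Condition 2: the application invokes the vulnerable function, whether as
    module.func(), via 'import module as m', or via 'from module import func'."""
    module, _, func = adv.function.rpartition(".")
    tree = ast.parse(source)
    module_names, func_names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_names.update(a.asname or a.name for a in node.names if a.name == module)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            func_names.update(a.asname or a.name for a in node.names if a.name == func)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in func_names:
            return True
        if (isinstance(f, ast.Attribute) and f.attr == func
                and isinstance(f.value, ast.Name) and f.value.id in module_names):
            return True
    return False


def port_exposed(tfplan: dict, port: int) -> bool:
    """Condition 3: an aws_security_group ingress rule opens `port` to 0.0.0.0/0.
    `tfplan` follows the planned_values shape of `terraform show -json`."""
    resources = tfplan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res.get("type") != "aws_security_group":
            continue
        for rule in res.get("values", {}).get("ingress", []):
            if (rule.get("from_port", 0) <= port <= rule.get("to_port", 0)
                    and "0.0.0.0/0" in rule.get("cidr_blocks", [])):
                return True
    return False


def assess(requirements: str, source: str, tfplan: dict, adv: Advisory) -> dict:
    """Combine the three conditions; only all three together mean exploitable."""
    verdict = {
        "vulnerable_version": consumes_vulnerable_version(requirements, adv),
        "function_called": calls_vulnerable_function(source, adv),
        "port_exposed": port_exposed(tfplan, adv.port),
    }
    verdict["exploitable"] = all(verdict.values())
    return verdict


# --- constructed inputs (hypothetical package and advisory) ------------------
ADVISORY = Advisory(package="examplelib", fixed_version="2.4.1",
                    function="examplelib.render", port=8080)
REQUIREMENTS = "requests==2.25.0\nexamplelib==2.3.0\n"
APP_SOURCE = "import examplelib as tpl\n\ndef handler(req):\n    return tpl.render(req.body)\n"


def _plan(from_port: int, to_port: int) -> dict:
    """Minimal terraform-plan-shaped dict with one world-open ingress rule."""
    return {"planned_values": {"root_module": {"resources": [
        {"type": "aws_security_group", "name": "web", "values": {"ingress": [
            {"from_port": from_port, "to_port": to_port, "protocol": "tcp",
             "cidr_blocks": ["0.0.0.0/0"]}]}}]}}}


TFPLAN_OPEN = _plan(8080, 8080)    # vulnerable service reachable from the internet
TFPLAN_CLOSED = _plan(443, 443)    # only HTTPS exposed; 8080 stays internal

if __name__ == "__main__":
    print("open:  ", assess(REQUIREMENTS, APP_SOURCE, TFPLAN_OPEN, ADVISORY))
    print("closed:", assess(REQUIREMENTS, APP_SOURCE, TFPLAN_CLOSED, ADVISORY))
```

With the same pinned version and the same call site, the verdict flips from exploitable to not exploitable purely on the IaC signal, which is the point of the passage: each tool on its own would have reported the finding identically. In a real pipeline the requirements and source would come from the repository and the plan from `terraform show -json`; version ranges would be taken from an advisory feed rather than a single fixed version.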
About the Author
Maty Siman, Founder and CTO at Checkmarx
Maty has been active in the IT industry for the past 12 years
and has experience in software development, IT security and source-code
analysis. Prior to founding Checkmarx, Maty worked for two years at
the Israeli Prime Minister's Office as a senior IT security expert and project
manager.